How to protect your computer from malicious cryptomining

Noticing that your computer is running slow? A sluggish machine has long been a telltale sign of infection, and these days that is doubly true, because of malicious cryptomining. So what, exactly, is it? We’ll tell you how bad this latest malware phenomenon is for you and your computer, plus what you can do about it.

Definition

Malicious cryptomining, also sometimes called drive-by mining, is when someone else is using your computer to mine cryptocurrency like Bitcoin or Monero. But instead of you cashing in on your own computer’s horsepower, the mined coins go into the other person’s account, not yours. So, essentially, they are stealing your resources to make money.

Cryptomining can sometimes happen with consent, but unfortunately these occasions are rare.

Salon.com gave its site visitors the choice to view ads or let the site mine on their computers

How bad is it?

If the duration of the cryptomining is not too prolonged and you are aware of what is going on, then it’s not that big a deal for regular computer users. When you are not aware of the mining activity—which is the majority of the time—it is a theft of resources. This is because cryptomining takes advantage of your computer’s Central Processing Unit (CPU) and Graphics Processing Unit (GPU), running it at higher capacities. Imagine revving your car engine or running your air conditioning while driving up a steep hill.

If cryptomining is too prolonged and running at, or near, the maximum of what your computer can handle, it can potentially slow down every other process, shorten the lifespan of your system, or ultimately brick your machine. And obviously, any malevolent threat actors want to keep using as many of your resources for as long as possible.

Finding the origin of the high CPU usage can be difficult. Processes might be hiding themselves or masking as something legitimate in order to hinder the user from stopping the abuse. And as a bonus to the cryptominers, when your computer is running at maximum capacity, it will run ultra slow, and therefore be harder to troubleshoot. Besides the theft and the slow, possibly damaged computer, being cryptomined could also make you more vulnerable to other malware by introducing additional vulnerabilities to your system, like in the case of the Claymore Miner.

Local or website?

When you notice high CPU usage and suspect it might be malicious cryptomining, it is important to know whether it’s being done in your browser or whether your computer itself is infected. So the first thing to do is to identify the process that is gobbling up your resources. Often, using the Windows Task Manager or macOS’s Activity Monitor is enough to identify the culprit. But, like in the example below, the process may have the same name as a legitimate Windows file.

In case of doubt about the legitimacy of the process, it is better to use Process Explorer, which allows you to see the parent process (what started the suspicious process) and the location of the file. In the same example as we used above, Process Explorer shows you the path is different from the legitimate Windows file and the parent process is strange.

And if you have the VirusTotal check enabled, you will see that the file itself and the parent are widely detected. (The Chrome detection 1/66 is a false positive by Cylance). Knowing this, you can stop the process to speed up your system and then start working on removing it.
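The same triage the post does by hand in Process Explorer can be scripted. The PowerShell below is an added example, not code from the original post or from Malwarebytes: it lists the busiest processes with their image path and parent, and flags any process whose name matches a Windows system binary but whose image is loaded from somewhere other than System32 or SysWOW64, which is the masquerade described above. It assumes a Windows host and an elevated PowerShell session so that paths of other users' processes are visible.

```powershell
# Added example (not from the original post): script the Process Explorer checks.
# Run as Administrator so ExecutablePath is populated for processes of all users.
$sysDirs = @(
    (Join-Path $env:SystemRoot 'System32'),
    (Join-Path $env:SystemRoot 'SysWOW64')
)
# Names of genuine system executables; a process with one of these names should
# normally be loaded from one of the directories above.
$systemNames = Get-ChildItem -Path $sysDirs[0] -Filter '*.exe' -File |
    ForEach-Object { $_.Name.ToLowerInvariant() }

# Win32_Process carries the parent PID and image path; Get-Process carries CPU time.
$procs = Get-CimInstance -ClassName Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }
$cpuSeconds = @{}
foreach ($g in Get-Process) { $cpuSeconds[[int]$g.Id] = $g.CPU }

$report = foreach ($p in $procs) {
    $name   = $p.Name.ToLowerInvariant()
    $path   = $p.ExecutablePath          # $null for kernel/system processes
    $parent = $byPid[[int]$p.ParentProcessId]
    $cpu    = $cpuSeconds[[int]$p.ProcessId]
    if ($null -eq $cpu) { $cpu = 0 }     # protected processes report no CPU time

    # Flag: system binary name, but image path outside the system directories.
    $inSysDir = $false
    foreach ($d in $sysDirs) {
        if ($path -and $path.StartsWith($d, [System.StringComparison]::OrdinalIgnoreCase)) {
            $inSysDir = $true
        }
    }
    $suspicious = ($systemNames -contains $name) -and $path -and -not $inSysDir

    [pscustomobject]@{
        PID        = $p.ProcessId
        Name       = $p.Name
        CPUSeconds = [math]::Round([double]$cpu, 1)
        Path       = $path
        Parent     = if ($parent) { "$($parent.Name) ($($parent.ProcessId))" } else { '<none/exited>' }
        Suspicious = $suspicious
    }
}

# Busiest processes first, so a miner pegging the CPU is near the top of the list.
$report | Sort-Object CPUSeconds -Descending | Select-Object -First 15 | Format-Table -AutoSize
# Then every name/path mismatch, with its parent, for closer inspection.
$report | Where-Object Suspicious | Format-List
```

A flagged entry is a lead, not a verdict: some third-party software legitimately ships files that share a name with a system binary, so confirm the hash with VirusTotal as the post describes before killing and removing anything.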

Finding the offender, however, is harder when the process is a browser like in the example below.

Of course, you can simply kill the process and hope it stays away, but knowing which tab/site was responsible does provide you with information that can help you avoid it from happening again. Chrome has a nifty built-in tool to help you with that. It’s called the Chrome Task Manager. You can start it by clicking “More Tools” in the main menu and choosing “Task manager” there.

This Task Manager shows the CPU usage of the individual browser tabs and of the extensions, so if one of your extensions included a miner, this will show up in the list as well.

Note that the Chrome Task Manager sometimes shows over 100 CPU usage, so I’m not sure whether it’s a percentage.

An alternative method that can also be used in other browsers is to disable extensions and close tabs in reverse historical order. If disabling an extension does not help, it’s easy to re-enable it. And if closing a tab does not help, you can use the “Reopen last closed tab” option in browsers that have this option, such as Opera, Chrome, and Firefox.

Firefox’s equivalent of “Reopen last closed tab” is called “Undo Close Tab”

How to protect against cryptomining

Malwarebytes stops the installation of many bundlers and Trojans that drop cryptominers on your system. We also block the domains of the most abused scripts and mining pools.

Another option, if you don’t have Malwarebytes, is to block JavaScript in the browser that you use to surf the web, but this could also block functionality that you like and need.

If you want more specialized blocking capabilities there are programs like “No Coin” and “MinerBlock” that block mining activities in popular browsers. Both have extensions for Chrome, Firefox, and Opera. Opera’s latest versions even have NoCoin built in.

Summary

Cryptomining can be done locally on the system or in the browser. Knowing the difference can help you remediate the problem, as both methods require different forms of protection. The solutions are almost as popular as the problem, so choose wisely, as there may be frauds out there trying to grab a portion of the market.
